Remote attestation for multi-core processor

ABSTRACT

The disclosed technology is generally directed to the authentication of software. In one example of the technology, a private attestation key is stored in hardware. In some examples, during a sequential boot process a hash is calculated, in an order in which the software stages are sequentially booted, of each software stage of a plurality of software stages. The hashes of each software stage of the plurality may be cryptographically appended to an accumulation register. The accumulation register may be used to attest to validity of the software stages. The plurality of software stages may include a first bootloader, a runtime for a first core of a multi-core processor, and a runtime for a first execution environment for a second core of the multi-core processor.

BACKGROUND

The Internet of Things (“IoT”) generally refers to a system of devicescapable of communicating over a network. The devices can includeeveryday objects such as toasters, coffee machines, thermostat systems,washers, dryers, lamps, automobiles, and the like. The networkcommunications can be used for device automation, data capture,providing alerts, personalization of settings, and numerous otherapplications.

SUMMARY OF THE DISCLOSURE

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

Briefly stated, the disclosed technology is generally directed to theauthentication of software. In one example of the technology, a privateattestation key is stored in hardware. In some examples, during asequential boot process a hash is calculated, in an order in which thesoftware stages are sequentially booted, of each software stage of aplurality of software stages. The hashes of each software stage of theplurality may be cryptographically appended to an accumulation register.The accumulation register may be used to attest to validity of thesoftware stages. The plurality of software stages may include a firstbootloader, a runtime for a first core of a multi-core processor, and aruntime for a first execution environment for a second core of themulti-core processor.

Other aspects of and applications for the disclosed technology will beappreciated upon reading and understanding the attached figures anddescription.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive examples of the present disclosure aredescribed with reference to the following drawings. In the drawings,like reference numerals refer to like parts throughout the variousfigures unless otherwise specified. These drawings are not necessarilydrawn to scale.

For a better understanding of the present disclosure, reference will bemade to the following Detailed Description, which is to be read inassociation with the accompanying drawings, in which:

FIG. 1 is a block diagram illustrating one example of a suitableenvironment in which aspects of the technology may be employed;

FIG. 2 is a block diagram illustrating one example of a suitablecomputing device according to aspects of the disclosed technology;

FIG. 3 is a block diagram illustrating an example of a system;

FIG. 4 is a block diagram illustrating an example of the multi-coreprocessor of FIG. 3; and

FIGS. 5A-5B are a flow diagram illustrating an example process forremote attestation for a multi-core processor in accordance with aspectsof the present disclosure.

DETAILED DESCRIPTION

The following description provides specific details for a thoroughunderstanding of, and enabling description for, various examples of thetechnology. One skilled in the art will understand that the technologymay be practiced without many of these details. In some instances,well-known structures and functions have not been shown or described indetail to avoid unnecessarily obscuring the description of examples ofthe technology. It is intended that the terminology used in thisdisclosure be interpreted in its broadest reasonable manner, even thoughit is being used in conjunction with a detailed description of certainexamples of the technology. Although certain terms may be emphasizedbelow, any terminology intended to be interpreted in any restrictedmanner will be overtly and specifically defined as such in this DetailedDescription section. Throughout the specification and claims, thefollowing terms take at least the meanings explicitly associated herein,unless the context dictates otherwise. The meanings identified below donot necessarily limit the terms, but merely provide illustrativeexamples for the terms. For example, each of the terms “based on” and“based upon” is not exclusive, and is equivalent to the term “based, atleast in part, on”, and includes the option of being based on additionalfactors, some of which may not be described herein. As another example,the term “via” is not exclusive, and is equivalent to the term “via, atleast in part”, and includes the option of being via additional factors,some of which may not be described herein. The meaning of “in” includes“in” and “on.” The phrase “in one embodiment,” or “in one example,” asused herein does not necessarily refer to the same embodiment orexample, although it may. Use of particular textual numeric designatorsdoes not imply the existence of lesser-valued numerical designators. Forexample, reciting “a widget selected from the group consisting of athird foo and a fourth bar” would not itself imply that there are atleast three foo, nor that there are at least four bar, elements.References in the singular are made merely for clarity of reading andinclude plural references unless plural references are specificallyexcluded. The term “or” is an inclusive “or” operator unlessspecifically indicated otherwise. For example, the phrases “A or B”means “A, B, or A and B.” As used herein, the terms “component” and“system” are intended to encompass hardware, software, or variouscombinations of hardware and software. Thus, for example, a system orcomponent may be a process, a process executing on a computing device,the computing device, or a portion thereof.

Briefly stated, the disclosed technology is generally directed to theauthentication of software. In one example of the technology, a privateattestation key is stored in hardware. In some examples, during asequential boot process a hash is calculated, in an order in which thesoftware stages are sequentially booted, of each software stage of aplurality of software stages. The hashes of each software stage of theplurality may be cryptographically appended to an accumulation register.The accumulation register may be used to attest to validity of thesoftware stages. A multi-core processor may be used in IoT devices andin other contexts. In some examples, the multi-core processor mayprovide network connectivity, for the IoT device, as well as variousother functions including hardware and software security, a monitoredoperating system, cryptographic functions, peripheral control,telemetry, and/or the like.

When the IoT device with a multi-core processor connects to a network toreceive IoT services, the IoT services may first request attestation inorder to verify that the software on the multi-core processor is notcompromised. The IoT service may thereby issue a challenge.

In some examples, the multi-core processor may include an accumulationregister having a value that is reset to zero in response to a reboot,and modification of the value of the accumulation register is limited tooperations that cryptographically append a value to the accumulationregister, or otherwise. For example, the cryptographic appending of thevalue replaces a current value of the register with a cryptographic hashcalculated from, for example, a concatenation or other combination ofthe “current” value of the register and the “to-be-appended data.” Thishash may be a one-way hash, e.g., such that the hash and part of thedata for which the hash is generated is generally insufficient torecover another part of the data for which the hash was generated.

In some examples, during boot, software stages are sequentially bootedbased on a chain of trust that corresponds to a defense-in-depthhierarchy. In some examples, as each software stage is sequentiallybooted, a hash is taken of the software stage, and the hash iscryptographically appended to the accumulation register.

The multi-core processor may respond to the attestation challenge with aresponse that includes the value of the accumulation register.Additionally, in some examples, the response to the challenge is signedwith a private attestation key. The IoT services may receive theresponse to the challenge, verify that that the value of theaccumulation register is correct, and validate the signature with thepublic attestation key.

Illustrative Devices/Operating Environments

FIG. 1 is a diagram of environment 100 in which aspects of thetechnology may be practiced. As shown, environment 100 includescomputing devices 110, as well as network nodes 120, connected vianetwork 130. Even though particular components of environment 100 areshown in FIG. 1, in other examples, environment 100 can also includeadditional and/or different components. For example, in certainexamples, the environment 100 can also include network storage devices,maintenance managers, and/or other suitable components (not shown).Computing devices 110 shown in FIG. 1 may be in various locations,including on premise, in the cloud, or the like. For example, computerdevices 110 may be on the client side, on the server side, or the like.

As shown in FIG. 1, network 130 can include one or more network nodes120 that interconnect multiple computing devices 110, and connectcomputing devices 110 to external network 140, e.g., the Internet or anintranet. For example, network nodes 120 may include switches, routers,hubs, network controllers, or other network elements. In certainexamples, computing devices 110 can be organized into racks, actionzones, groups, sets, or other suitable divisions. For example, in theillustrated example, computing devices 110 are grouped into three hostsets identified individually as first, second, and third host sets 112a-112 c. In the illustrated example, each of host sets 112 a-112 c isoperatively coupled to a corresponding network node 120 a-120 c,respectively, which are commonly referred to as “top-of-rack” or “TOR”network nodes. TOR network nodes 120 a-120 c can then be operativelycoupled to additional network nodes 120 to form a computer network in ahierarchical, flat, mesh, or other suitable types of topology thatallows communications between computing devices 110 and external network140. In other examples, multiple host sets 112 a-112 c may share asingle network node 120. Computing devices 110 may be virtually any typeof general- or specific-purpose computing device. For example, thesecomputing devices may be user devices such as desktop computers, laptopcomputers, tablet computers, display devices, cameras, printers, orsmartphones. However, in a data center environment, these computingdevices may be server devices such as application server computers,virtual computing host computers, or file server computers. Moreover,computing devices 110 may be individually configured to providecomputing, storage, and/or other suitable computing services.

In some examples, one or more of the computing devices 110 is an IoTdevice, a device that comprises part or all of an IoT hub, a devicecomprising part or all of an application back-end, or the like, asdiscussed in greater detail below.

Illustrative Computing Device

FIG. 2 is a diagram illustrating one example of computing device 200 inwhich aspects of the technology may be practiced. Computing device 200may be virtually any type of general- or specific-purpose computingdevice. For example, computing device 200 may be a user device such as adesktop computer, a laptop computer, a tablet computer, a displaydevice, a camera, a printer, or a smartphone. Likewise, computing device200 may also be server device such as an application server computer, avirtual computing host computer, or a file server computer, e.g.,computing device 200 may be an example of computing device 110 ornetwork node 120 of FIG. 1. Computing device 200 may also be an IoTdevice that connects to a network to receive IoT services. Likewise,computer device 200 may be an example any of the devices illustrated inor referred to in FIGS. 3-5, as discussed in greater detail below. Asillustrated in FIG. 2, computing device 200 includes processing circuit210, operating memory 220, memory controller 230, data storage memory250, input interface 260, output interface 270, and network adapter 280.Each of these afore-listed components of computing device 200 includesat least one hardware element.

Computing device 200 includes at least one processing circuit 210configured to execute instructions, such as instructions forimplementing the herein-described workloads, processes, or technology.Processing circuit 210 may include a microprocessor, a microcontroller,a graphics processor, a coprocessor, a field-programmable gate array, aprogrammable logic device, a signal processor, or any other circuitsuitable for processing data. Processing circuit 210 is an example of acore. The aforementioned instructions, along with other data (e.g.,datasets, metadata, operating system instructions, etc.), may be storedin operating memory 220 during run-time of computing device 200.Operating memory 220 may also include any of a variety of data storagedevices/components, such as volatile memories, semi-volatile memories,random access memories, static memories, caches, buffers, or other mediaused to store run-time information. In one example, operating memory 220does not retain information when computing device 200 is powered off.Rather, computing device 200 may be configured to transfer instructionsfrom a non-volatile data storage component (e.g., data storage component250) to operating memory 220 as part of a booting or other loadingprocess. In some examples, other forms of execution may be employed,such as execution directly from data storage memory 250, e.g., eXecuteIn Place (XIP).

Operating memory 220 may include 4^(th) generation double data rate(DDR4) memory, 3^(rd) generation double data rate (DDR3) memory, otherdynamic random access memory (DRAM), High Bandwidth Memory (HBM), HybridMemory Cube memory, 3D-stacked memory, static random access memory(SRAM), magnetoresistive random access memory (MRAM), pseudostaticrandom access memory (PSRAM), or other memory, and such memory maycomprise one or more memory circuits integrated onto a DIMM, SIMM,SODIMM, Known Good Die (KGD), or other packaging. Such operating memorymodules or devices may be organized according to channels, ranks, andbanks. For example, operating memory devices may be coupled toprocessing circuit 210 via memory controller 230 in channels. Oneexample of computing device 200 may include one or two DIMMs perchannel, with one or two ranks per channel. Operating memory within arank may operate with a shared clock, and shared address and commandbus. Also, an operating memory device may be organized into severalbanks where a bank can be thought of as an array addressed by row andcolumn. Based on such an organization of operating memory, physicaladdresses within the operating memory may be referred to by a tuple ofchannel, rank, bank, row, and column.

Despite the above-discussion, operating memory 220 specifically does notinclude or encompass communications media, any communications medium, orany signals per se.

Memory controller 230 is configured to interface processing circuit 210to operating memory 220. For example, memory controller 230 may beconfigured to interface commands, addresses, and data between operatingmemory 220 and processing circuit 210. Memory controller 230 may also beconfigured to abstract or otherwise manage certain aspects of memorymanagement from or for processing circuit 210. Although memorycontroller 230 is illustrated as single memory controller separate fromprocessing circuit 210, in other examples, multiple memory controllersmay be employed, memory controller(s) may be integrated with operatingmemory 220, or the like. Further, memory controller(s) may be integratedinto processing circuit 210. These and other variations are possible.

In computing device 200, data storage memory 250, input interface 260,output interface 270, and network adapter 280 are interfaced toprocessing circuit 210 by bus 240. Although, FIG. 2 illustrates bus 240as a single passive bus, other configurations, such as a collection ofbuses, a collection of point to point links, an input/output controller,a bridge, other interface circuitry, or any collection thereof may alsobe suitably employed for interfacing data storage memory 250, inputinterface 260, output interface 270, or network adapter 280 toprocessing circuit 210.

In computing device 200, data storage memory 250 is employed forlong-term non-volatile data storage. Data storage memory 250 may includeany of a variety of non-volatile data storage devices/components, suchas non-volatile memories, disks, disk drives, hard drives, solid-statedrives, or any other media that can be used for the non-volatile storageof information. However, data storage memory 250 specifically does notinclude or encompass communications media, any communications medium, orany signals per se. In contrast to operating memory 220, data storagememory 250 is employed by computing device 200 for non-volatilelong-term data storage, instead of for run-time data storage.

Also, computing device 200 may include or be coupled to any type ofprocessor-readable media such as processor-readable storage media (e.g.,operating memory 220 and data storage memory 250) and communicationmedia (e.g., communication signals and radio waves). While the termprocessor-readable storage media includes operating memory 220 and datastorage memory 250, the term “processor-readable storage media,”throughout the specification and the claims whether used in the singularor the plural, is defined herein so that the term “processor-readablestorage media” specifically excludes and does not encompasscommunications media, any communications medium, or any signals per se.However, the term “processor-readable storage media” does encompassprocessor cache, Random Access Memory (RAM), register memory, and/or thelike.

Computing device 200 also includes input interface 260, which may beconfigured to enable computing device 200 to receive input from users orfrom other devices. In addition, computing device 200 includes outputinterface 270, which may be configured to provide output from computingdevice 200. In one example, output interface 270 includes a framebuffer, graphics processor, graphics processor or accelerator, and isconfigured to render displays for presentation on a separate visualdisplay device (such as a monitor, projector, virtual computing clientcomputer, etc.). In another example, output interface 270 includes avisual display device and is configured to render and present displaysfor viewing. In yet another example, input interface 260 and/or outputinterface 270 may include a universal asynchronous receiver/transmitter(“UART”), a Serial Peripheral Interface (“SPI”), Inter-IntegratedCircuit (“I2C”), a General-purpose input/output (GPIO), and/or the like.Moreover, input interface 260 and/or output interface 270 may include orbe interfaced to any number or type of peripherals.

In the illustrated example, computing device 200 is configured tocommunicate with other computing devices or entities via network adapter280. Network adapter 280 may include a wired network adapter, e.g., anEthernet adapter, a Token Ring adapter, or a Digital Subscriber Line(DSL) adapter. Network adapter 280 may also include a wireless networkadapter, for example, a Wi-Fi adapter, a Bluetooth adapter, a ZigBeeadapter, a Long Term Evolution (LTE) adapter, SigFox, LoRa, Powerline,or a 5G adapter.

Although computing device 200 is illustrated with certain componentsconfigured in a particular arrangement, these components and arrangementare merely one example of a computing device in which the technology maybe employed. In other examples, data storage memory 250, input interface260, output interface 270, or network adapter 280 may be directlycoupled to processing circuit 210, or be coupled to processing circuit210 via an input/output controller, a bridge, or other interfacecircuitry. Other variations of the technology are possible.

Some examples of computing device 200 include at least one memory (e.g.,operating memory 220) adapted to store run-time data and at least oneprocessor (e.g., processing unit 210) that is adapted to executeprocessor-executable code that, in response to execution, enablescomputing device 200 to perform actions.

Illustrative Systems

FIG. 3 is a block diagram illustrating an example of a system (300).System 300 may include network 330, IoT support service 351, IoT devices341 and 342, and application back-end 313, which all connect to network330. The term “IoT device” refers to a device intended to make use ofIoT services. An IoT device can include virtually any device thatconnects to the cloud to use IoT services, including for telemetrycollection or any other purpose. IoT devices include any devices thatcan connect to a network to make use of IoT services. IoT devices caninclude everyday objects such as toasters, coffee machines, thermostatsystems, washers, dryers, lamps, automobiles, and the like. IoT devicesmay also include, for example, a variety of devices in a “smart”building including lights, temperature sensors, humidity sensors,occupancy sensors, and the like. The IoT services for the IoT devicescan be used for device automation, data capture, providing alerts,and/or personalization of settings. However, the foregoing list merelyincludes some of the many possible users for IoT services. Such servicesmay be employed for, or in conjunction with, numerous otherapplications, whether or not such applications are discussed herein.

Application back-end 313 refers to a device, or multiple devices such asa distributed system, that performs actions that enable data collection,storage, and/or actions to be taken based on the IoT data, includinguser access and control, data analysis, data display, control of datastorage, automatic actions taken based on the IoT data, and/or the like.In some examples, at least some of the actions taken by the applicationback-end may be performed by applications running in applicationback-end 313.

The term “IoT support service” refers to a device, or multiple devicessuch as a distributed system, to which, in some examples, IoT devicesconnect on the network for IoT services. In some examples, the IoTsupport service is an IoT hub. In some examples, the IoT hub isexcluded, and IoT devices communicate with an application back-end,directly or through one or more intermediaries, without including an IoThub, and a software component in the application back-end operates asthe IoT support service. IoT devices receive IoT services viacommunication with the IoT support service.

Each of the IoT devices 341 and 342, and/or the devices that compriseIoT support service 351 and/or application back-end 313 may includeexamples of computing device 200 of FIG. 2. The term “IoT supportservice” is not limited to one particular type of IoT service, butrefers to the device to which the IoT device communicates, afterprovisioning, for at least one IoT solution or IoT service. That is, theterm “IoT support service,” as used throughout the specification and theclaims, is generic to any IoT solution. The term IoT support servicesimply refers to the portion of the IoT solution/IoT service to whichprovisioned IoT devices communicate. In some examples, communicationbetween IoT devices and one or more application back-ends occur with anIoT support service as an intermediary. The IoT support service is inthe cloud, whereas the IoT devices are edge devices. FIG. 3 and thecorresponding description of FIG. 3 in the specification illustrates anexample system for illustrative purposes that does not limit the scopeof the disclosure.

One or more of the IoT devices 341 and 342 may include a multi-coreprocessor 345. Each multi-core processor 345 may have a secure bootmechanism using cross-core validation and multiple mutations of a secretdevice key, with sequentially booting using a chain of trust thatcorresponds to a defense-in-depth hierarchy of multi-core processor 345,as discussed in greater detail below.

Network 330 may include one or more computer networks, including wiredand/or wireless networks, where each network may be, for example, awireless network, local area network (LAN), a wide-area network (WAN),and/or a global network such as the Internet. On an interconnected setof LANs, including those based on differing architectures and protocols,a router acts as a link between LANs, enabling messages to be sent fromone to another. Also, communication links within LANs typically includetwisted wire pair or coaxial cable, while communication links betweennetworks may utilize analog telephone lines, full or fractionaldedicated digital lines including T1, T2, T3, and T4, IntegratedServices Digital Networks (ISDNs), Digital Subscriber Lines (DSLs),wireless links including satellite links, or other communications linksknown to those skilled in the art. Furthermore, remote computers andother related electronic devices could be remotely connected to eitherLANs or WANs via a modem and temporary telephone link. In essence,network 330 includes any communication method by which information maytravel between IoT support service 351, IoT devices 341 and 342, andapplication back-end 313. Although each device or service is shownconnected as connected to network 330, that does not mean that eachdevice communicates with each other device shown. In some examples, somedevices/services shown only communicate with some other devices/servicesshown via one or more intermediary devices. Also, other network 330 isillustrated as one network, in some examples, network 330 may insteadinclude multiple networks that may or may not be connected with eachother, with some of the devices shown communicating with each otherthrough one network of the multiple networks and other of the devicesshown communicating with each other with a different network of themultiple networks.

As one example, IoT devices 341 and 342 are devices that are intended tomake use of IoT services provided by the IoT support service, which, insome examples, includes one or more IoT support services, such as IoTsupport service 351. Application back-end 313 includes a device ormultiple devices that perform actions in providing a device portal tousers of IoT devices.

In some examples, IoT support service 351 may request and/or require anIoT device attempting to connect to IoT support service 351 to remotelyattest to the validity of the software running on the IoT device as partof the connection process, and/or before any further messages, work, orinformation may be exchanged. Remote attestation may be used to verifythat, at the moment attestation is completed, the software in themulti-core processor in the IoT device is valid.

System 300 may include more or less devices than illustrated in FIG. 3,which is shown by way of example only.

Also, FIG. 3 illustrates one example application for a multi-coreprocessor, namely, use in an IoT device. Multi-core processors 345 mayalso be used in various other suitable applications and contexts otherthan in an IoT device and/or in an IoT context.

Illustrative Multi-Core Processor

FIG. 4 is a diagram illustrating an example of a multi-core processor445 with defense-in-depth architecture. FIG. 4 and the correspondingdescription of FIG. 4 in the specification illustrate an exampleprocessor for illustrative purposes that do not limit the scope of thedisclosure.

In some examples, multi-core processor 445 enables a device in whichmulti-core processor 445 is included to operate as an IoT device, suchas IoT device 341 or 342 of FIG. 3. In some examples, multi-coreprocessor 445 may have at least 4 MB of RAM and at least 4 MB of flashmemory. However, this is merely an example of one possibleimplementation. Other processors may include various combinations ofless, or more, RAM and/or flash memory. In some examples, multi-coreprocessor 445 provides not just network connectivity, but various otherfunctions including hardware and software security, a monitoredoperating system, cryptographic functions, peripheral control,telemetry, and/or the like. In addition, multi-core processor 445 mayinclude technology for allowing the device to be booted in a securemanner, allowing the device to be securely updated, ensuring that propersoftware is running on the device, allowing the device to functioncorrectly as an IoT device, and/or the like.

Multi-core processor 445 is arranged as follows in some examples.Multi-core processor 445 includes security complex 469, securemicrocontroller (MCU) 460, general purpose CPU 470, at least oneinput/output (I/O) MCU 480, and radio core 490. Secure MCU 460 mayinclude secure MCU read-only memory (ROM) 461, secure MCU first bootloader 462, and secure MCU runtime 463. CPU 470 may be an applicationprocessor that includes Secure World (SW) runtime 471, Normal Worldoperating system (OS) 472 that operates in supervisor mode, Normal Worlduser-mode services 473, and Normal World user-mode applications 474.Each I/O MCU 480 may include MCU services 481 and MCU applications 482.Radio core 490 may include radio firmware 491.

In some examples, security complex 469 is the hardware root of trust inmulti-core processor 469. In some examples, security complex 469 isdirectly connected to secure MCU 460. In some examples, secure MCU 460has a very high degree of trust, but is less trusted than securitycomplex 469. In these examples, secure MCU 460 controls one or morefunctions that require a very high degree of trust. In one example,secure MCU 460 controls power for multi-core processor 445 and/or an IoTdevice.

In some examples, CPU 470 runs a high-level operating system. In someexamples, CPU 470 has two independent execution environments: a SecureWorld (SW) runtime 471 and a Normal World execution environment. Theterm “Secure World” is used broadly to refer to a trusted environmentand is not limited to a particular security feature. In some examples,the Secure World runtime 471 of CPU 470 is also part of the trustedcomputing base of the system. In some examples, the Secure World runtime471 of CPU 470 does not, however, have access to the internals of coresecurity complex 469 and relies on secure MCU runtime 463 for particularsecurity-sensitive operations.

The Normal World execution environment of the CPU 470 may be configuredto have limited access to such on-chip resources as memories. In someexamples, the code running in this environment must still meet certain(e.g., relatively high) standards of security and quality but is lesstrusted than either the code running on the secure MCU 460 or the coderunning in Secure World runtime 471 on the CPU 470.

In some examples, the I/O MCU cores 480 are less trusted than the secureMCU 460 and CPU 470, and as such, in some examples the CPU's SecureWorld environment is responsible for configuring the firewalls ofmulti-core processor 445 to limit the access of I/O MCU 480 to on-chipresources.

In some examples, radio core 490 executes vendor-provided firmware. Theradio core 490 may provide radio functionality and connectivity to theInternet and cloud services such as IoT services. In some examples,radio core 490 may provide communications via Wi-Fi, Bluetooth, and/orother connectivity technology. But as with the I/O MCU 480, in someexamples, the CPU 470 is responsible for configuring the firewalls tolimit the access of radio core 490 to on-chip resources. In someexamples, radio core 490 does not have any access to unencryptedsecrets, and is not capable of compromising the execution of secure MCU460 or the CPU 470.

In some examples, each independent execution environment is managed by asingle software component executing in a separate execution environmentthat is referred to the “parent” of the execution environment. In suchexamples, one exception may be that the hardware root of trust (securitycomplex 469 in this example) has no parent. In one particular example,each parent executes in an environment that is at least as trusted asthe environments it manages. In other examples, other suitable means ofsecurity may be employed. Management operations may include booting andresuming the target environment, monitoring and handling resets in thetarget environment, and configuring access policy for the targetenvironment. In some cases, certain management operations are performedby a component other than a parent. For instance, in some examples,CPU's Normal World is the environment that manages I/O MCU 480, butreceives assistance from CPU Secure World runtime 471 to do so (e.g. toconfigure firewalls, and to program the starting instructions of the I/OMCU 480).

For instance, in some examples, secure MCU runtime 473 manages SecureWorld runtime 472, a component in Secure World runtime 471 managesNormal World OS 472, a component in Normal World OS 472 manages NormalWorld user-mode services 473 and applications 474, and Normal Worlduser-mode services 473 manages the I/O MCU 480 and the radio core 490.

In some examples, not only are independent execution environmentsmanaged by a software component from a more trusted executionenvironment, but different functions are assigned to the differentindependent execution environments, with more sensitive functionsassigned to more trusted independent execution environments. In oneparticular example, independent execution environments less trusted thanthe independent execution environment to which it is assigned arerestricted from having access to the function. In this way, theindependent execution environments achieve defense-in-depth based on ahierarchy of trust. In other examples, other suitable means of securitymay be employed.

For instance, in some examples, security complex 469 is at the top ofthe hierarchy and is assigned to secrets (e.g., encryption keys), secureMCU runtime 463 is next in the hierarchy and is assigned to controllingpower, Secure World runtime 471 is next in the hierarchy and is assignedto storage and to write access to a real time clock (RTC), Normal WorldOS 472 is next in the hierarchy and is assigned to managing radiofunctionality, Normal World user-mode applications 474 is next in thehierarchy and is assigned to applications, and the I/O MCU 480 are atthe bottom of the hierarchy and are assigned to peripherals. In otherexamples, functions are assigned to independent execution environmentsin a different manner.

In some examples, each level of the hierarchy of trust except for thebottom (i.e., least trusted) level of the hierarchy has complete controlto accept or reject any requests from a less trusted level, e.g., interms of implementing support for the software they handle, and have theability to rate limit or audit the requests from less trusted levels andto validate requests from lower levels to ensure that the requestscorrect and true. Also, as previously discussed, in some examples, eachlevel of hierarchy except the top (i.e., most trusted) level has aparent that is responsible for managing the lower (i.e., less trusted)level, including monitoring the software of the lower level and ensuringthat the software on the lower level is running correctly.

In some examples, the layers of the hierarchy make use of securecommunications channels and firewalls. For instance, in some examples,secure MCU runtime 471 has two message queues, configured such that,based on the hardware, one of the queues can only be used in SecureWorld, and one that can be used from Normal World. In one particularexample, if a message comes from the Secure World queue, then based onthe hardware the message must have come from the Secure World, and istherefore more trusted than a message that came from Normal World. Inother examples, other suitable means of security may be employed.

Additionally, in some examples, apart from the highest layer of thehierarchy, no layer of the hierarchy starts without a higher level ofthe hierarchy having validated the layer and, after validating thelayer, allowed the layer to start. Also, in these examples, a layer ofthe hierarchy has the ability to stop any lower level of hierarchy, forexample, at any time. Accordingly, in these examples, multi-coreprocessor 445 has the software capability of each layer of the hierarchyhaving complete dominance over lower (i.e., less trusted) levels of thehierarchy in terms of stopping and starting and running of the lowerlevels of the hierarchy.

In some examples, security complex 469 is the hardware root of trust andthe highest, most trusted level of the defense-in-depth trust hierarchy.In some examples, security complex 469 contains keys, secrets,encryption engines, and/or the like. In some examples, security complex469 stores secrets, performs functions such as key generation,encryption, decryption, hashing, other cryptographic functions, othersecurity-related functions, and/or the like. In some examples, securitycomplex 469 is able to check the secret value stored in a one-waywritable memory such as an e-fuse, one time programmable element, and/orthe like.

In some examples, when multi-core processor 445 is powered on and itspower management unit (PMU) has stable power, the PMU releases thesecurity complex 469 from reset. In some examples, the security complex469 is at the core of multi-core processor 445's trusted computing base.In some examples, core security complex 469 drives the secure bootprocess. In one particular example, cores are restricted from executingcode until the security complex 469 has enabled it to do so. In otherexamples, other suitable means of security may be employed.

In some examples, execute in place (XiP) is not used on the secure MCU460, in order to avoid the possibility of undetected runtime writes toflash resulting in untrusted code executing on secure MCU 460. In oneparticular example, the ROM 461 and runtime 463 instead ensure that codeexecuting on secure MCU 460 is copied into the private SRAM of secureMCU 460 from flash and validated before executing. In other examples,other suitable means of security may be employed.

In some examples, the secure MCU 460 does not contain a memorymanagement unit (MMU), but does contain a memory protection unit (MPU)that can be used to provide some safeguards-such as controlling thereadability, writability, and executability of portions of the physicaladdress space. The MPU may be used in this fashion, e.g. marking stacksand memory-mapped flash as no-execute.

In some examples, secure MCU ROM 461 is responsible for initializingenough of multi-core processor 445 so that the first piece of softwarestored in flash can securely execute on the secure MCU 460.

In some examples, upon entry, the code in secure MCU ROM 461 waits forindication that the secure MCU 460 has completed initialization, readsthe e-fuse indicating the device's security state, configures PhaseLocked Loops (PLLs) to set the desired steady-state, clock frequency,and enables memory mapping of flash (e.g., for all cores). In someexamples, although the secure MCU 460 does not execute code directlyfrom flash, it does leverage this mechanism to read and copy data fromflash to its SRAM.

In these examples, after it has completed this configuration, the codein ROM 461 is responsible for loading and transferring control to secureMCU boot loader 462, which is the first-level boot loader of secure MCU460. In some examples, secure MCU boot loader 462 is found in flash,both encrypted and signed, at known locations. In these examples, theROM code validates the code, and loads it into the private SRAM ofsecure MCU 460. In some examples, secure MCU boot loader 462 containsthe first instruction of non-ROM code executed on Multi-core processor445, and is a fixed size (e.g., 16 k) raw binary. In some examples,secure MCU boot loader 462 is responsible for loading, validating, andtransferring control to the secure MCU Runtime 463, setting up thedevice's software key store, implementing a low-level “recovery mode”for re-programming flash (used for development purposes, and possiblyalso for in-the-field updates-appropriately secured), applyingupdates/rollbacks, and configuring and kicking a secure watchdog timerin secure MCU 460 (until the secure MCU runtime 463 takes control).

Much like the ROM code before it, in these examples, secure MCU bootloader 462 locates the secure MCU runtime code in flash, validates thecode, loads the code into the private SRAM of secure MCU 460, andtransfers control to the code. In some examples, once secure MCU bootloader 462 has transferred execution in this way, secure MCU boot loader462 will not regain control, and secure MCU boot loader 462 will notremain resident in the SRAM of secure MCU 460 after secure MCU bootloader 462 has finished executing.

In some examples, secure MCU runtime 463 is responsible for managing theCPU's Secure World environment. In some examples, secure MCU is alsoresponsible for managing and controlling power domains and othercritical components, e.g., properly setting up debug enabling signalsfor other cores, powering on or off different domains on multi-coreprocessor 445, re-configuring and kicking the own watchdog timer ofsecure MCU 460 (taking over for secure MCU boot loader), configuring thewatchdog timer of CPU 470 and responding to its reset interrupt, andwaking up a core (CPU 470 or I/O MCU 480) that has been powered off butreceived an interrupt. In some examples, secure MCU runtime 463 isresponsible for monitoring Secure World runtime 471 of the CPU 470 toensure that Secure World runtime 471 is running correctly and to resetSecure World runtime 471.

Secure MCU runtime 463 interacts with security complex 469 to requestthat core security complex 469 perform tasks associated with coresecurity complex 469. For instance, secure MCU runtime 463 may requestsecurity complex 469 to extract keys, or to request that securitycomplex 469 do something with the extracted keys, to request thatsecurity complex 469 generate a pin number, to request that something beencrypted by security complex 469 and the encrypted version returned tosecure MCU runtime 463, and/or the like. In some examples, secure MCUruntime 463 acts in essence as the operating system for security complex469.

Secure World on the CPU 470 may have a trust zone that creates a privateindependent execution environment that is hardware-protected from therest of multi-core processor 445. Secure World may have a runtime,Secure World runtime 471. In some examples, the Secure World environmenton the CPU 470 is part of multi-core processor 445's trusted computingbase, and as such does not execute third-party code. For example, SecureWorld may have its own kernel and user mode processes. Secure Worldruntime 471 may be responsible for protecting security-sensitivehardware resources on multi-core processor 445, safely exposing limitedaccess to these resources, and acting as a watchdog for the CPU 470'sNormal World environment of Normal World OS 472, Normal World userservices 473, and Normal World applications 474. For instance, in someexamples, Secure World runtime 471 is responsible for monitoring NormalWorld OS 472, ensuring the Normal World OS 472 is running correctly, andresetting Normal World OS 472. In some examples, Secure World runtime471 is responsible for forwarding requests to secure MCU 463 runtimefrom layers that do not have access to secure-MCU 463 runtime.

In some examples, the CPU 470 does not contain ROM code; instead, CPU470 contains an 8-byte volatile memory that contains the firstinstruction(s) for it to execute upon being taken out of reset. In theseexamples, before the CPU 470 is taken out of reset, the 8-byte volatilememory is programmed by the secure MCU 460 to contain a branch to thefirst instruction of the CPU Secure World runtime 471, executing fromshared SRAM. In some examples, CPU 470 is configured such that the codethat executes in Secure World runtime 471 executes from a range of SRAMthat is configured to be inaccessible to Normal World 472-474.

In some examples, Secure World runtime 471 is also responsible forbooting Normal World environment on the CPU 470, exposing runtimeservices to software running in Normal World, access to real-time clock(RTC), I/O MCU 480 management API, radio core 490 management API,managing silicon components not accessible to Normal World (and which donot need to be managed by the secure MCU 460), interacting with theflash controller in macro mode, programming a direct memory access (DMA)engine of CPU Secure World 471, configuration of all firewalls,configuration of the core I/O mapping, handling interrupts indicatingfirewall violations, taking I/O MCU 480 and radio 490 cores out ofreset, configuring watchdog timers for I/O MCU 480 cores, configuringthe Real-time clock (RTC), and managing updates for certain softwarecomponents. Because Secure World also contains multiple hardware modes(i.e. supervisor mode, user mode), the Secure World runtime 471 mayinternally span multiple modes for additional defense-in-depth.

In some examples, Secure World runtime 471 operates below secure-MCUruntime 463 in the trust/defense-in-depth hierarchy, but above NormalWorld OS 472 in the hierarchy. In these examples, whereas secure-MCUruntime 463 can, for instance, request that core security complex 469generate a pin number, Secure World runtime 471 cannot. Also, in theseexamples, whereas secure-MCU runtime 463 has access to power, SecureWorld runtime 471 does not. However, in these examples, Secure Worldruntime 471 is in charge of managing storage, and layers of thehierarchy below Secure World runtime 471 do not have access to storage.

As discussed, in some examples, the Secure World environment of CPU 470is a hardware-protected private execution environment of CPU 470. Therest of the software environment of CPU 470, other than the Secure Worldenvironment, is the Normal World environment. There are registers thatthe Secure World can read but the Normal World cannot in some examples.The Normal World environment may include a supervisor mode and a usermode. The supervisor mode of the Normal World environment of CPU 470 mayinclude Normal World OS 472. The user mode of the Normal Worldenvironment of CPU 470 may include Normal World user services 473 andNormal World user applications 474.

In some examples, Normal World OS 472 is responsible for managing theresources for Normal World user applications 474. In some examples,Normal World OS 472 is responsible for managing radio functionality, andlayers hierarchically below (i.e., less trusted than) Normal World OS472 do not have direct access to radio functionality, but instead accessradio functionality indirectly via Normal World OS 472.

In some examples, in CPU Normal World user-space, a set of user services473 are run that are responsible for: booting I/O MCU 480 (withassistance from Secure World runtime 471), booting the radio core 490(with assistance from Secure World runtime 471), publishing devicetelemetry to IoT services, publishing diagnostic information to IoTservices, receiving and applying software updates from IoT services, andhandling reset interrupts from I/O MCU 480 watchdog timers.

In some examples, the CPU Device API internally leverages Normal Worlduser Runtime Services 473, and abstractly provides third-partyapplication Code hosted on the CPU (in Normal World) with access to thefollowing functionality: publishing device telemetry, publishingdiagnostic information, communicating with I/O MCU 480, controlling andissuing I/O to peripheral, and application Code. In some examples,product manufacturers and other customers of multi-core processor 445may author third-party code to execute on the CPU 470 in Normal World.In some examples, the code is able to use the CPU Device API, and maycoordinate with I/O runtimes executing on I/O MCU 480.

In some examples, multi-core processor 445 contains two “I/O” MCUs 480intended for sensing and actuation. In some of these examples, neitherI/O MCU 480 contains any ROM code. Instead, in these examples, each I/OMCU 480 contains an 8-byte volatile memory mapped at a particularphysical address. When an I/O MCU 480 starts executing, it may fetch itsinitial instructions from this address. Before each I/O MCU 480 is takenout of reset, the 8-byte volatile memory may be programmed by the CPU470 to contain a branch to the first instruction of an I/O MCU Loader,XiP from flash.

In some examples, a company can use the I/O MCU 480 microcontrollers toinclude the code that is on their existing microcontrollers, which mayallow a company to replace their existing microcontroller functionalitywith multi-core processor 445.

In some examples, multi-core processor 445's radio stack executes onradio core 490 programmed by the silicon vendor producing the chip.

While FIG. 4 illustrates a particular example of multi-core processor445, many other examples of multi-core processor 445 are possible. Forinstance, the number and type of independent execution environments mayvary in different examples. In some examples, multi-core processor 445has at least two general purpose cores with differing capabilities, sothat multi-core processor 445 has heterogeneous cores. The at least twogeneral purpose cores with differing capabilities may be at least amicrocontroller and a CPU in one example, while other general purposecores with different capabilities are used in other examples. The twocores are general purpose in that any suitable code can be run on thecores. For example, the MCU microcontroller and the CPU are generalpurpose cores, whereas a graphic processing unit (GPU) is not ageneral-purpose core; rather, a GPU is used to process specific types ofcalculations, and can runs certain types of executions. While the twocores in multi-core processor 445 are both general purpose and each canrun any suitable code, they have differing capabilities from each other.Although the CPU and the MCU microcontroller are both general-purposecores, the CPU is generally more powerful than the MCU and can executeinstructions that the MCU microcontroller cannot. This is but oneexample of two general purpose cores with differing capabilities. Whilespecific cores are discussed herein, such as the CPU and the MCU, inother examples, other general purpose cores may be employed such as anygeneral purpose CPU, microcontroller, or the like. Also, variousquantities of cores may be employed in various examples.

Also, in various examples, different functions may be assigned todifferent levels of the hierarchy. For instance, in the example ofmulti-core processor 445 illustrated in FIG. 4, the function ofcontrolling power is assigned to a more trusted level of the hierarchythan the function of managing storage. However, in other examples, thefunction of managing storage is assigned to a more trusted level of thehierarchy than the function of controlling power.

Multi-core processor 445 may use a secure key store to store keys andother secrets. For examples, some of the keys in the secure key storemay be used for validating signatures to software, e.g., to ensure thatthe software is genuine and valid.

In some examples, when multi-core processor 445 is powered on and itsPMU has stable power, the PMU releases the security complex 469 fromreset. In some examples, secure MCU ROM 461 is responsible forinitializing enough of multi-core processor 445 so that the first pieceof software stored in flash can securely execute on the secure MCU 460.In some examples, the ROM code on secure MCU ROM 461 waits forindication that the secure MCU 460 has completed initialization, readsthe e-fuse indicating the device's security state, configures PLLs toset a clock frequency, and enables memory mapping of flash (e.g., forall cores).

In these examples, after it has completed this configuration, the codein MCU ROM 461 is responsible for loading and transferring control tosecure MCU boot loader 462, which is the first-level boot loader ofsecure MCU 460. In some examples, the first boot loader is stored inflash. In some examples, the first boot loader is encrypted and signedwith a global private key that is part of a public/private key pair. Insome examples, the code in MCU ROM 461 reads the first boot loader. Insome examples, the ROM code in MCU ROM 461 calculates a hash of thefirst boot loader and verifies the first boot loader with a globalpublic key. In some examples, in response to verification, the code inMCU ROM 461 causes the first boot loader to be loaded into the privateSRAM of secure MCU ROM 460 and booted.

In some examples, the validation of the signature of the first bootloader provides assurance that the first boot loader is genuine and/orvalid. Although the first boot loader may be signed with the globalprivate key, for a number of reasons, including exposure risk, it is notnecessarily desirable for all software to be signed with the globalprivate key. Further, some devices are designed such that the first bootloader should not be altered during the device lifetime. However, othersoftware may be designed to be updated, e.g., in the field, afterdeployment, etc., and the updating of this other software may beassociated with a new signature for such updated software. Accordingly,instead of using the global private key to sign all software, a numberof different keys may be used. However, in some examples, secure MCU ROM461 stores the global public key, but does not store all of theadditional keys that would be needed to validate the software.

Accordingly, a secure key store may be used to secure the other keysused for validation of signatures of software. In some examples, thesecure key store is on flash memory. In some examples, the secure keystore is encrypted and/or signed with a mutated key that may be derivedas follows.

In some examples, each multi-core processor 445 has a secret, unique,per-device key. In some examples, the per-device key is an AdvancedEncryption Standard (AES) key that is stored in hardware. In someexamples, the per-device key can be used in particular authorized ways,including to generate a mutation of the per-device key, but software maybe disallowed from reading the per-device key itself, e.g., because thehardware that stores the per-device key does not allow software to readthe per-device key. Instead the hardware may allow the particularauthorized actions to be performed. In some examples, after booting thefirst boot loader, secure MCU ROM 460 mutates the per-device key basedon the hash of the first boot loader to derive a first mutated key.Secure MCU ROM 460 may cause the first mutated key to be stored in theprivate SRAM of secure MCU ROM 460. Mutating a key may interchangeablybe referred to as key derivation or performing a key derivationfunction. The first mutated key may be deterministic because it isgenerated from the first boot loader, which, in some examples, does notchange during the lifetime of multi-core processor 445.

Next, in some examples, the first bootloader is booted.

The first bootloader may generate a second mutated key based on thefirst mutated key and a random seed. The second mutated key may be usedfor the encryption, decryption, signing, and/or validation of the securekey store.

On an initial/first boot of a device, keys, hashes, and other secretsmay be determined and stored in the secure key store flash memory, andencrypted and/or signed with the second mutated key. Among other things,the keys used for validation the software stages that boot after thesecure MCU runtime may be stored in the secure key store. Accordingly,on initial boot, the secure key store may be created on flash memory andencrypted and/or signed with the second mutated key. In some examples,as discussed above, the random seed is used to derive the second mutatedkey on the initial boot, and the random seed is stored and is notsecret. Accordingly, in some examples, on subsequent boots, the flashmemory contains a secure key store that can be decrypted and/orvalidated with the second mutated key. Also, in some examples, onsubsequent boots, the same second mutated key should be generated as theinitial boot, because the per-device key should be the same as theinitial boot and the hash of the first boot loader should be the same asthe initial boot, and the same random seed is used.

In addition to generating the second mutated key as discussed above, thefirst bootloader may generate one or more additional mutated keys fromthe first key and a separate corresponding persistent and validatedrandom number. Next, in some examples, the first boot loader locates thesecure MCU runtime 463 code in flash, reads the secure MCU runtime 463code, and calculates a hash of the secure MCU runtime 463 code. In someexamples, secure MCU runtime 463 calculates a hash of Secure Worldruntime 471. In some examples, the first boot loader encrypts and/orsigns (using the second mutated key) and stores in flash memory the hashof the secure MCU runtime 463 code in the secure key store in flashmemory. In some examples, the first bootloader than finishes execution.The first mutated key is not available after the first bootloaderfinishes execution until multi-core processor 445 reboots.

In some examples, the Secure World runtime 471 encrypts and/or signs(using the second mutated key) and stores in flash memory the hash ofthe Normal World OS in the secure key store flash memory.

In some examples, the Normal World OS 472 encrypts and/or signs (usingthe second mutated key) and stores in flash memory the hash of NormalWorld user applications 474 from the secure key store in flash memory.

In some examples, the hash calculation and signing of the currentsoftware stage continues for the remaining stages in a similar manner.

On subsequent boots, as previously discussed, in some examples, thesecond mutated key is regenerated and used to decrypt the secure keystore. In some examples, after the second mutated key is regenerated,the first boot loader locates the secure MCU runtime 463 code in flash,reads the secure MCU runtime 463 code, and calculates a hash of thesecure MCU runtime 463 code.

In some examples, on subsequent boots after the first boot loader hascalculated the hash of the secure MCU runtime 463 code, the first bootloader reads from the secure key store in flash memory and decryptsand/or validates the hash of the secure MCU runtime 463 code stored inthe secure key storage. In some examples, the first boot loader thenvalidates secure MCU runtime 463. The validation may include comparingthe hash of the MCU runtime 463 code calculated during this boot withthe stored hash of the secure MCU runtime 463 code, and using a publickey for the secure MCU runtime 463 to validate the signature of thesecure MCU runtime 463. In some examples, the public key for the secureMCU runtime 463 is stored in hardware, and the public key for subsequentsoftware stages are stored in the secure key store. In some examples, inresponse to validation of the secure MCU runtime 463, the first bootloader loads the secure MCU runtime 463 into private SRAM and transferscontrol to the secure MCU runtime 463 code, causing the secure MCUruntime 463 to be booted.

In some examples, each subsequent stage boots sequentially in a similarmanner, with each stage being sequentially validated and booted by itsparent in the trust hierarchy. For example, the MCU runtime 463 may beresponsible for validating and booting the Secure World runtime 471, theSecure World runtime 471 may be responsible for validating and bootingthe Normal World OS 472, the Normal World OS 472 may be responsible forvalidating and booting the Normal World user applications 474, and theNormal World user applications 474 may be responsible for validating oneor more I/O MCUs 480.

For instance, in some examples, secure MCU runtime 463 calculates a hashof Secure World runtime 471. In some examples, the secure MCU runtime463 reads from the secure key store in flash memory and decrypts and/orvalidates the public Secure World runtime public key and the hash of theSecure World runtime 471 code. The secure MCU runtime 463 may thenvalidate Secure World runtime 471. The validation may include comparingthe hash of the Secure World runtime 471 calculated during this bootwith the stored hash of the Secure World runtime 471 code, and using thesecure MCU runtime public key to validate the signature of the SecureWorld runtime 471. In some examples, in response to validation of theSecure World runtime 471, the secure MCU runtime 463 loads the SecureWorld runtime 471 into private SRAM and causes the Secure World runtime471 to be booted.

In some examples, the Secure World runtime 471 reads from the secure keystore in flash memory and decrypts and/or validates the Normal World OSpublic key and the hash of the Normal World OS 472 code. In someexamples, the Secure World runtime 471 then validates Normal World OS472. The validation may include comparing the hash of the Normal WorldOS 472 calculated during this boot with the stored hash of the NormalWorld OS 472 code, and using the Normal World OS public key to validatethe signature of the Normal World OS 472. In some examples, in responseto validation of the Normal World OS 472, the Secure World runtime 471loads the Normal World OS 472 into SRAM for the Secure World of CPU 470and causes the Normal World OS 472 to be booted.

In some examples, the sequential validation and booting continues forthe remaining stages to be booted in a similar manner, with each stagebeing sequentially validated and booted by its parent in the trusthierarchy, and with the mutated key being read from the secure key storeand then decrypted and/or validated with the second mutated key.

During any of the validation stages, validation may possibly failbecause the software is not genuine, because the software was corrupted,because an attacker is trying to break into the device, and/or the like.In some examples, if validation fails at any stage, then neither thatstage nor any subsequent stages are booted, and any keys, hashes, and/orsecrets in memory (SRAM) are erased. Use of the first mutated key mayalso be restricted, e.g., to use for generation of other key(s). In thisexample, once the other key(s) are generated, the first mutated key maybe erased, e.g., by a clearing of the register in which it is stored

In some examples, a device may be designed such that the secure MCU 460ROM code and the first bootloader are not intended to be updated. Othersoftware/stages however, may be updated one or more times during thedevice lifetime, and some may be updated frequently. In some examples,during an update, prior to the update itself, the Secure World firstverifies the pending update, and hashes the updated code. In someexamples, the secure MCU runtime 463 then updates, in the flash memory,the hashes and keys for any stage that are to be updated, and generatesa signature for any updated stages.

In some examples, the secure key store may also be used to store othersecrets, including user-provided secrets such as network credentials, orother information to be protected from potential attackers. In someexamples, these additional secrets may be stored on the secure key storein flash memory may also be encrypted and/or signed with the secondmutated key.

After boot is complete, multi-core processor 445 may communicate over anetwork for IoT services, for example, via communication with an IoTsupport service such as IoT support service 351 of FIG. 3. In someexamples, IoT support service 351 may request and/or require the IoTdevice containing multi-core processor 445 to remotely attest to thevalidity of the software running on the IoT device or multi-coreprocessor 445 as part of the connection process, and/or before anyfurther messages, work, or information may be exchanged. Remoteattestation may be used to verify that the software in the IoTdevice/executing on the multi-core processor is valid. As one example,IoT support service 351 may send a challenge over the network tomulti-core processor 445 in response to a connection request, a requestfor IoT services, or other communication from the IoT device.

In some examples, hardware in secure MCU 460 generates a response to thechallenge, making use of, among other things, a private attestation keystore in hardware in secure MCU 460, and two registers in secure MCU 460that may be referred as DR0 and DR1 in some examples.

In some examples, the private attestation key is stored in hardware bysecure MCU 460 and access is restricted to secure MCU 460. In someexamples, the private attestation key is part of a public/private keypair, and IoT support service 351 has the public attestation key thatcorresponds to the private attestation key.

In some examples, register DR1 is a fully readable and writableregister. In some examples, register DR0 is an accumulation register. Insome examples, the value of DR0 is readable and is not secret. In someexamples, the value of DR0 is reset to zero (or some other defaultvalue) on device reboot. In some examples, modification of the value ofthe DR0 register is limited to operations that cryptographically appenda value to the DR0 register.

In some examples, during the secure boot of multi-core processor 445, aspreviously discussed, various stages are sequentially booted, with eachstage being validated and booted by its parent in the trust hierarchy.For instance, in some examples, as discussed above, secure ROM 461 isresponsible for booting the first boot loader, the first boot loader isresponsible for booting the MCU runtime 463, the MCU runtime 463 may beresponsible for next booting the Secure World runtime 471, the SecureWorld runtime 471 may be responsible for next booting the Normal WorldOS 472, the Normal World OS 472 may be responsible for next booting theNormal World user applications 474, and the Normal World userapplications 474 may be responsible for next booting one or more I/OMCUs 480.

As discussed above, prior to or in conjunction with booting eachsoftware stage, a hash may be taken of that software stage. For example,a hash may be generated of the first boot loader prior to, or inconjunction with, booting the first boot loader, a hash of the MCUruntime 463 may be generated prior to, or in conjunction with, bootingthe MCU runtime 463, a hash of the Secure World runtime 471 may begenerated prior to, or in conjunction with, booting the Secure Worldruntime 471, a hash of the Normal World OS 472 may be generated priorto, or in conjunction with, booting the Normal World OS 472, and so on.Hashes may also be generated for the subsequent software stages that arebooted during the secure boot process. In some examples, as a hash isgenerated for each software stage, the hash of that software stage iscryptographically appended to accumulation register DR0.

After booting, multi-core processor 445 may attempt to communicate withIoT services, and may receive a challenge in response. In some examples,in response to a challenge, multi-core processor 445 hardware in secureMCU 460 generates a response to the challenge. The challenge may bestored in register DR1. In some examples, the response to the challengeincludes the DR0 value and the DR1 value, where the DR1 value is thechallenge. In some examples, the response to the challenge is alsosigned by the hardware in secure MCU 460 with the private attestationkey for the device. In some examples, the response to the challengegenerated by hardware in secure MCU 460 is then sent from multi-coreprocessor 445 to the IoT support service.

The IoT support service may verify the response to the challenge,including verifying the values and validating the signature. The DR0value from the response may be used to verify that the multi-coreprocessor 445 has the software that the IoT support service expects thatdevice to be executing. In some examples, the IoT support service hasthe correct value that corresponds the hash of each software stage thatmulti-core processor should be executing. The signature may be validatedto verify that the response came from the multi-core processor, ratherthan another party

In some examples, if the signature is valid, it may be taken as averification that the DR0 value in the response to the challenge wascalculated, as expected, by cryptographically appending a hash of eachbooted software stage.

FIG. 4 illustrates one specific example of a multi-core processor forwhich remote attestation may be employed, by way of example. Remoteattestation may also be employed for other examples of multi-coreprocessors. FIG. 4 illustrates an example that includes a secure MCUwith the hardware root of trust, a CPU executing a Secure Worldenvironment and a Normal World environment, and other MCUs with a lowerlevel of trust. In this example, the secure MCU is the first core thatis booted, followed by a CPU (with the Secure World executionenvironment booted before the Normal World execution environment),followed by the other MCUs. Other examples may include other coresand/or other trust hierarchies than the specific example of FIG. 4,which is given by way of example only.

In some examples, multi-core processor 445 includes at least two coresincluding at least a first general purpose core and a second generalpurpose core in which the first and second general purpose cores havedifferent capabilities, and which boot sequentially according to a chainof trust that corresponds to a hierarchy of trust in which one of thegeneral purpose cores is more trusted than the other general purposecore, with the more trusted general purpose core being validated andbooted before and the less trusted general purpose core. The cores neednot correspond to the particular cores illustrated in FIG. 4, which isbut one example.

FIGS. 5A-5B are a flow diagram illustrating an example process forremote attestation for a multi-core processor, that may be performed bythe multi-core processor, such as the multi-core processor of FIG. 3and/or FIG. 4.

In the illustrated example, step 581 occurs first. At step 581, in someexamples, a private attestation key is stored in hardware. As shown,step 582 occurs next in some examples. At step 582, in some examples, afirst software stage is read. As shown, step 583 occurs next in someexamples. At step 583, in some examples, a hash of the current softwarestage is calculated. As shown, step 584 occurs next in some examples. Atstep 584, in some examples, the calculated hash of the current softwarestage is cryptographically appended to an accumulation register toupdate a value of the accumulation register.

As shown decision step 585 occurs next in some examples. At decisionstep 585, in some examples, a determination is made as to whether all ofthe software stages have been booted. If not, the process proceeds tostep 586 in some examples. At step 586, in some examples, the nextsoftware stage to be booted is read. As shown, the process then moves tostep 583 in some examples. In some examples, the software stages to bebooted include at least a first bootloader, a runtime for a first core,and a runtime for a first execution environment for a second core.

If instead the determination at decision step 585 is positive, step 587occurs next in some examples. At step 587, in some examples, a challengeis received. As shown, step 588 occurs next in some examples. At step588, in some examples, a response to the challenge is generated, suchthat the response to the challenge includes the challenge and the valueof the accumulation register, and such that the response is signed bythe private attestation key. As shown, step 589 occurs next in someexamples. At step 589, in some examples, the response to the challengeis sent. The process may then proceed to the return block, where otherprocessing is resumed.

CONCLUSION

While the above Detailed Description describes certain examples of thetechnology, and describes the best mode contemplated, no matter howdetailed the above appears in text, the technology can be practiced inmany ways. Details may vary in implementation, while still beingencompassed by the technology described herein. As noted above,particular terminology used when describing certain features or aspectsof the technology should not be taken to imply that the terminology isbeing redefined herein to be restricted to any specific characteristics,features, or aspects with which that terminology is associated. Ingeneral, the terms used in the following claims should not be construedto limit the technology to the specific examples disclosed herein,unless the Detailed Description explicitly defines such terms.Accordingly, the actual scope of the technology encompasses not only thedisclosed examples, but also all equivalent ways of practicing orimplementing the technology.

We claim:
 1. An apparatus, comprising: a multi-core processor, includinga first core, a second core, and at least one memory adapted to storerun-time data, wherein the first core is adapted to executeprocessor-executable code that, in response to execution, enables theapparatus to perform operations, the operations including: sequentiallybooting a plurality of software stages for the apparatus, including, foreach software stage of the plurality of software stages: calculating ahash of that software stage; and cryptographically appending the hash ofthat software stage to an accumulation register as an update of a valueof the accumulation register, wherein the plurality of software stagesincludes a first bootloader, a runtime for a first core of a multi-coreprocessor, and a runtime of a first execution environment for a secondcore of the multi-core processor.
 2. The apparatus of claim 1, whereinthe plurality of software stages further includes an operating system ofa second execution environment for the second core.
 3. The apparatus ofclaim 1, the operations further comprising storing the challenge inanother register.
 4. The apparatus of claim 1, wherein the accumulationregister is arranged such that the value of the accumulation register islimited, by hardware, to being changed in one of the followingenumerated manners: being reset to a default value in response to areboot of the multi-core processor, and being changed by cryptographicalappending of a hash to a current value of the accumulation register. 5.The apparatus of claim 1, the operations further compromising making arequest for an IoT service, wherein the challenge is received inresponse to the request.
 6. The apparatus of claim 1, wherein the firstcore and the second core are general purpose cores with differingcapabilities, and wherein the first core and the second core areconfigured to have a defense-in-depth hierarchy in which the first coreis above the second core in the defense-in-depth hierarchy.
 7. Theapparatus of claim 1, wherein the order of the sequential bootcorresponds to a defense-in-depth hierarchy.
 8. The apparatus of claim1, wherein the first core is a secure microcontroller, and wherein thesecond core is a central processing unit.
 9. A method, comprising:sequentially booting a plurality of software stages for a multi-corecomputing device, including, for each software stage of the plurality ofsoftware stages: calculating a hash of that software stage; andcryptographically appending the hash of that software stage to aregister as an update of a value of the register, wherein the pluralityof software stages includes a first bootloader, a runtime for a firstcore of the multi-core device, and a runtime of a first executionenvironment for a second core of the multi-core device.
 10. The methodof claim 9, wherein the plurality of software stages further includes anoperating system for a second execution environment for the second core.11. The method of claim 9, further comprising storing the challenge inanother register.
 12. The method of claim 9, further compromising makinga request to an IoT support service, wherein the challenge is receivedin response to the request.
 13. The method of claim 9, wherein the firstcore and the second core are general purpose cores with differingcapabilities, and wherein the first core and the second core areconfigured to have a defense-in-depth hierarchy in which the first coreis above the second core in the defense-in-depth hierarchy.
 14. Themethod of claim 9, wherein the order of the sequential boot correspondsto a defense-in-depth hierarchy.
 15. A method, comprising: receiving, bya network connected device, a request to attest to validity of aplurality of software stages executing on the network connected device;and in response to the request, transmitting a cryptographically signedvalue representing the plurality of software stages, the value havingbeen generated by a sequential appending of a hash of each softwarestage of the plurality of software stages.
 16. The method of claim 15,wherein the plurality of software stages includes a bootloader for thenetwork connected device, a runtime for a first core of the networkconnected device, and an operating system for an execution environmentfor a second core of the network connected device.
 17. The method ofclaim 15, wherein the cryptographically signed value was generated inconjunction with a sequential booting of the plurality of softwarestages, and wherein at least one of the plurality of software stages wasbooted by another of the plurality of software stages.
 18. The method ofclaim 15, the further compromising: making a request for an IoT service,wherein the request to attest to the validity is received in response tothe request for the IoT service.
 19. The method of claim 15, wherein thenetwork connected device includes a first core and a second core,wherein the first core and the second core are general purpose coreswith differing capabilities, and wherein the first core and the secondcore are configured to have a defense-in-depth hierarchy in which thefirst core is above the second core in the defense-in-depth hierarchy.20. The method of claim 15, wherein the order of the sequentialappending corresponds to a defense-in-depth hierarchy for executionenvironments of the network connected device.